My take on 2016 SANS State of Application Security Report

SANS, an awesome organization that provides security courses and certifications internationally recognized, published a 2016 State of Application Security: Skills, Configurations and Components report. And despite not having balanced types of companies based on their industries (the majority of companies are primarily from the financial industry) and that SANS is naturally interested in promote the need of security awareness because of their business model, this report brought some interesting findings that I'd like to highlight here:

Application Security Isn't Mature

After all those hacks and damage to companies that we've seen in the news, more than 40% of the surveyed companies are still immature or have no application security program at all. And only 3.5% claim to be "very mature". I really wonder what needs to happen for those to start considering security. Perhaps the optimism bias is stronger than I thought.

And looking at the data it's possible to see more clearly who don't care more than who. And the award goes to Health Care industry, with 70% of respondents who classified their application security program as 'immature'. Or the award should go to the Education industry with 50% 'immature' programs and more 17% that don't even have plans for application security at all.

Lower interest to protect commercial applications

Looking at the graph above (found on page 11) is possible to see an interesting pattern. The effort put to protect applications that the company doesn't have access to the source code (commercial software) is only half of what is put to protect developed in-house applications (with access to the source code).

For attackers it means that attacking commercial applications have 2x more chances of succeeding. Quite scary, huh?

Vendors are now required to follow security policies

In the 2016 survey, 40% of respondents have documented approaches and policies that third-party software vendors must adhere to, while in 2015, only 28% had any comprehensive vendor risk-management program.

It's getting tougher for vendors to be approved without security. I wrote about how security makes you money and mentioned that security is now part of the business. If you forget security, chances are you will lose all the (serious) RFPs.

Notes

There are other findings in this report of course, but these are the ones that grabbed my attention as more 'not so obvious' points. There is another important finding that explains that the top challenge of security programs is the lack of skills or education, but this is expected, so no kudos for this finding.

Hope you have enjoyed and take your time to read the report and discover other interesting findings.